Last active
December 16, 2015 16:19
-
-
Save Pross/5461836 to your computer and use it in GitHub Desktop.
DenyHosts for wordpress
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| /* | |
| Plugin Name: DenyHosts | |
| Plugin URI: http://pross.org.uk | |
| Description: Block bad login attempts. | |
| Version: 1.0 | |
| Author: Pross | |
| */ | |
| class DenyHosts { | |
| var $block_init = 1; // set to 1 to check bans on init action too. | |
| function __construct() { | |
| if( $this->block_init && '/wp-login.php' == $_SERVER['REQUEST_URI'] ) | |
| add_action( 'init', array( &$this, 'check_bans' ) ); | |
| add_action( 'login_head', array( &$this, 'check_bans' ) ); | |
| add_action('wp_login_failed', array( &$this, 'failed_attempt' ) ); | |
| } | |
| function check_bans() { | |
| $data = get_option( 'denyhosts_bans', array() ); | |
| $ip = $_SERVER['REMOTE_ADDR']; | |
| if( $data[ $ip ] ) | |
| $this->block(); | |
| } | |
| function failed_attempt() { | |
| $data = get_option( 'denyhosts_temp', array() ); | |
| $ip = $_SERVER['REMOTE_ADDR']; | |
| if( $data[ $ip ] > 3 ) | |
| $this->add_ban( $ip ); | |
| if( isset( $data[ $ip ] ) ) | |
| $data[ $ip ]++; | |
| else | |
| $data[ $ip ] = 1; | |
| update_option( 'denyhosts_temp', $data ); | |
| } | |
| function add_ban( $ip ) { | |
| $data = get_option( 'denyhosts_bans', array() ); | |
| $data[ $ip ] = 1; | |
| update_option( 'denyhosts_bans', $data ); | |
| $temps = get_option( 'denyhosts_temp' ); | |
| unset( $temps[ $ip ] ); | |
| update_option( 'denyhosts_temp', $temps ); | |
| wp_mail( get_option( 'admin_email' ), 'IP BLOCKED', sprintf( 'IP: %s has just been blocked on %s. Total IPs blocked: %s', $ip, get_option( 'blogname' ), count( $data ) ) ); | |
| $this->block(); | |
| } | |
| function block() { | |
| if( $this->block_init ) { | |
| header("Status: 403 Forbidden"); | |
| die( '<h1>Access Denied.</h1>'); | |
| } | |
| ?> | |
| <style type="text/css">html{background:#f9f9f9;}body{background:#fff;color:#333;font-family:sans-serif;-webkit-border-radius:3px;border-radius:3px;border:1px solid #dfdfdf;max-width:700px;height:auto;margin:2em auto;padding:1em 2em;}h1{border-bottom:1px solid #dadada;clear:both;color:#666;font:24px Georgia, "Times New Roman", Times, serif;margin:30px 0 0;padding:0 0 7px;}#error-page{margin-top:50px;}#error-page p{font-size:14px;line-height:1.5;margin:25px 0 20px;}#error-page code{font-family:Consolas, Monaco, monospace;}</style></head> | |
| <body id='error-page'> | |
| <?php printf( '<h1>Access Denied!</h1><p>Your IP <strong>%s</strong> has been blocked and logged.</p></body></html>', $_SERVER['REMOTE_ADDR'] ); | |
| exit(); | |
| } | |
| } | |
| new DenyHosts; |
Yea i thought of that, but if its on the login page, headers are already sent.
Actually yea, updated with a 403 if its set to block on 'init'
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In the function
block(), maybe you should return a proper status code as well, instead of returning200.